WhatsApp Fixes Critical Zero-Click Spyware Vulnerability

WhatsApp fixes critical zero-click vulnerability exploited by spyware to target Apple users. Less than 200 users affected in sophisticated attack campaign requiring no user interaction.

WhatsApp Patches Serious Security Flaw Exploited by Spyware

WhatsApp has urgently addressed a critical security vulnerability that allowed sophisticated spyware attacks against Apple device users. The Meta-owned messaging platform confirmed it fixed the zero-click exploit, designated as CVE-2025-55177, which was being actively used to compromise iPhones and Mac computers without any user interaction.

Sophisticated Attack Campaign

The security flaw was discovered alongside a separate iOS and macOS vulnerability tracked as CVE-2025-43300, which Apple patched last week. When chained together, these vulnerabilities created a powerful attack vector that enabled complete device compromise. According to Amnesty International's Security Lab director Donncha Ó Cearbhaill, this represented an "advanced spyware campaign" targeting specific individuals over the past 90 days.

Meta spokesperson Margarita Franklin confirmed that the company detected and patched the vulnerability "a few weeks ago" and sent notifications to "less than 200" affected WhatsApp users. The attacks specifically targeted Apple device users through the WhatsApp platform, demonstrating the evolving sophistication of state-sponsored surveillance tools.

Zero-Click Exploitation Mechanism

Zero-click attacks represent the most dangerous category of security threats because they require no user interaction. Unlike traditional phishing attacks that require clicking malicious links, zero-click exploits can silently compromise devices through seemingly legitimate communications. In this case, the WhatsApp vulnerability allowed attackers to deliver malicious payloads that could extract sensitive data including messages, contacts, and device information.

The technical sophistication suggests involvement of professional surveillance vendors rather than amateur hackers. While Meta did not attribute the attacks to specific actors, the pattern aligns with known government-sponsored surveillance campaigns that typically target journalists, activists, and political dissidents.

Historical Context of WhatsApp Vulnerabilities

This incident marks the latest in a series of security challenges facing WhatsApp. In May 2025, a U.S. court ordered spyware maker NSO Group to pay WhatsApp $167 million in damages for a 2019 hacking campaign that compromised over 1,400 users with Pegasus spyware. Earlier this year, WhatsApp disrupted another spyware campaign targeting approximately 90 users across Italy, including journalists and civil society members.

The recurring pattern highlights the ongoing arms race between messaging platforms and sophisticated surveillance actors. WhatsApp's end-to-end encryption provides strong protection against mass surveillance, but targeted attacks using zero-day vulnerabilities remain a significant threat.

Protection and Recommendations

Users should ensure they have updated to the latest versions of both WhatsApp and their device operating systems. Apple released patches for iOS and macOS last week, while WhatsApp has deployed server-side fixes. The coordinated response between Meta and Apple demonstrates improved industry collaboration in addressing sophisticated threats.

Security experts recommend enabling automatic updates, using two-factor authentication, and being cautious about unexpected messages from unknown contacts. While zero-click attacks are difficult to prevent individually, maintaining updated software significantly reduces vulnerability exposure.

The incident underscores the importance of continued security research and transparent vulnerability disclosure processes. As messaging platforms become increasingly central to modern communication, their security becomes correspondingly critical for user privacy and safety.
